1. Field of the Invention
The present invention relates to a technique for authenticating whether a user has the authority to receive service in connection with restrictions such as the term of utilization. According to this technique, the authentication fails if information on the restrictions has been altered. The present invention is also concerned with a technique for decrypting encrypted messages. Particularly, it is verified that information pieces annexed to messages such as information on the term of utilization and control information have not been altered, and only when such information pieces have not been altered, the messages are decrypted correctly.
2. Description of the Prior Art
According to a conventional method for authenticating whether a user has the authority to receive service, the authentication side issues a physical ticket or membership card in advance and the user presents the ticket or the membership card when the user is to receive the service. In this case, the service offerer checks, on the spot, the information pieces described on the ticket or the like such as the valid term and the type of service and thereby effects checking and authentication of conditions. However, since the ticket itself is a physical object, drawbacks have heretofore been encountered such as an increase in cost for the distribution of such tickets to users or an increase in the ticket manufacturing cost because of a requirement for taking a certain measure to make ticket forgery difficult. In this regard, by making the ticket electronically operable, it becomes possible to reduce the cost of manufacture and distribution. Related techniques are disclosed in Japanese Published Unexamined Patent Application No. Sho 62-171071 entitled "IC Card for Advance Transaction" and Japanese Published Examined Patent Application No. Hei 6-22032 entitled "Public Services Payment System using Electronic Card." In these techniques, however, electronic information corresponding to a ticket is merely nullified upon receipt of service, making no contribution to the implementation of a more versatile ticket such as a coupon type ticket or a combination of a limitation on the term of utilization with a limitation on the amount of utilization. In addition, the above conventional techniques lack any protective measure against wiretapping of communication between the card and the host at the time of obtaining a ticket electronically or against illegitimate utilization of a ticket made by replay attack.
Further, as a conventional technique involving an additional function of restricting utilization on encrypted digital information, there is known a technique disclosed in Japanese Published Unexamined Patent Application No. Hei 7-131452 which is directed to "Digital Information Protecting Method and Processing Device Therefor." In the invention disclosed therein, digital information is represented by a set of information identifying number, information itself, utilization conditions information, and authenticator. Further, upon input of digital information into a computer, there is generated a second identifier relating to the information identifying number and the utilization conditions information. Then, in utilizing the digital information, there is made verification using two identifiers as to whether or not the utilization conditions described in the utilization conditions information are satisfied, and only when all of the points to be verified have been verified normally, the digital information is decrypted and converted into a utilizable form. However, according to the method disclosed in the above Hei 7-131452, both information itself and utilization conditions are encrypted using the same encryption key for the assurance of a legitimate combination of the two, so when an attempt is made to change utilization conditions for each user, for example, it is necessary to perform encryption every time communication is made or provide corresponding ciphers beforehand for each communication. Thus, the above method has not been suitable for a large-volume distribution of digital information using CD-ROM or the like or for a broadcast that utilizes a satellite broadcast.
The present invention has been accomplished in view of the above-mentioned problems. According to what is intended by the present invention, at the time of authenticating whether or not a user has the authority to utilize service, what is corresponding to the conventional ticket is made electronic, and in determining whether or not the electronic information thus obtained is legitimate, it is possible to set flexible conditions such as the valid term and a limitation on the number of times of utilization, or a combination thereof, while ensuring safety; further, in the event the conditions should have been altered, authentication is not effected affirmatively.
According to another object of the present invention, at the time of conditionally decrypting an encrypted digital information, it is possible to set decryption conditions, etc. for utilization of the digital information in a decrypted state, which decryption conditions, etc. are independent of the encrypted digital information itself, and therefore it is easy to allocate different conditions, etc. for each user; further, in the event decryption conditions have been altered, decryption of the digital information is not performed correctly.
In the present invention, for achieving the above-mentioned object, an authentication device includes a proof data generation device in which data is generated for authenticating the authority of a user and a verification device for verifying the legitimacy of the generated proof data; the proof data generation device includes a first memory part that stores authentication data generated by the verification device, a second memory part that stores control information for generating the proof data, a third memory part that stores proof support information calculated from authentication characteristic information and the control information which is for generating the proof data, and a proof data generation part that generates proof data on the basis of the information pieces stored in the above memory parts; the verification device includes a verification part that verifies that the proof data generated by the proof data generation part is based on the authentication characteristic information; and the authentication characteristic information is a decryption key used in an asymmetric cryptosystem which utilizes a discrete logarithmic problem on a finite group G.
According to this construction, first, at the time of determining the legitimacy of an electronic ticket, it is possible to set flexible conditions such as the valid term and a limitation on the number of times of utilization, or a combination thereof, while ensuring safety. In addition, it is possible to make control so that authentication is not performed affirmatively in the event those conditions have been altered. Secondly, in the case of conditionally decrypting an encrypted digital information, it is possible to set decryption conditions, etc. for utilization of the digital information in a decrypted state. Further, the decryption conditions, etc. are independent of the encrypted digital information itself, so that it is easy to allocate different conditions, etc. for each user, and in the event of alteration of the decryption conditions, etc., it is possible to prevent the digital information from being decrypted correctly.
Moreover, by using as the authentication characteristic information an asymmetric cryptosystem which is defined on an elliptic curve on a finite field, there is attained equivalent safety even with a shorter key length in comparison with the use of an RSA public key cipher for example, and the processing can be done at a high speed.
The present invention can be implemented as a method or as a computer program product.
[Entire Constitution]
An entire constitution in the mode for carrying out the present invention will be described below before making reference to concrete embodiments of the invention.
A description will first be given of the case where the present invention is used for controlling the execution of an application program which is executed on a user's PC (personal computer) or work station.
FIGS. 1 and 2 illustrate device configurations used in the mode for carrying out the invention. FIG. 2 is of the same configuration as FIG. 1 except that a proof data verification device 100 used therein also serves as a proof data generation control information generating device 400 shown in FIG. 1. Therefore, the configuration of FIG. 1 will mainly be described below.
In FIG. 1, an authentication device according to the present invention includes a proof data verification device 100 (hereinafter also referred to simply as "verification device"), a proof data generation device 200 (also simply as "proving device"), an access ticket generation device 300 and a proof data generation control information generating device 400. The proof data verification device 100 includes a proof data memory unit 101, a verification part 102 and an execution part 103. The proof data generation device 200 includes a user unique identifying information memory unit 201, a proof data generation part 202, an access ticket memory unit 203 and a proof data generation control information memory unit 204. The access ticket memory unit 203 holds proof support information (referred to as access ticket). The proof data generation control information memory unit 204 holds information (referred to as proof data generation control information) for controlling the generation of proof data. The access ticket generation device 300 generates an access ticket and transfers it to the proof data generation device 200. The proof data generation control information generating device 400 generates proof data generation control information and transfers it to the proof data generation device 200.
In the configuration of FIG. 1, the proof data generation device 200 can be implemented as a proof program on a computer which the user employs. In this case, if the user can copy and distribute unique identifying information (user unique identifying information) for identifying the user, even users not having a legitimate utilization right are allowed to use the application program. From this point of view, the user identifying information is loaded into the computer so that even the user as a legitimate information holder cannot steal the information, and it is also possible to use proof hardware (e.g. an IC card or board) having an anti-tamper characteristic. The use of portable hardware such as an IC card is convenient for a user who works on plural PCs or work stations.
The proof data verification device 100 is constituted as part of the application program utilized by the user. More specifically, once the user starts the application program on a PC or a work station, the proof data verification device 100 described as a program in the application program is started and makes communication with the proof data generation device 200 to authenticate the user. Only when the communication is terminated correctly, the execution of the application program is made possible.
In order for the user to utilize the above application program with the proof data verification device 100 embedded therein, there are needed proof support information (access ticket) and control information (proof data generation control information) for the generation of proof data, which are issued to the user and correspond to the application program. The proof data generation control information is used for determining whether the utilization of the application program meets the conditions for use which the user is required to satisfy at the time when the proof data generation device 200 generates proof data. As to the proof data generation control information, the user acquires the same information generated by the proof data generation control information generating device 400 as shown in FIG. 1, or it is transmitted together with authentication data to the proof data generation device 200 from the proof data verification device 100 and is registered therein, as shown in FIG. 2. Although the following description follows the configuration shown in FIG. 1, it is also true of the configuration shown in FIG. 2. The user registers the acquired access ticket and control information for the generation of proof data into the proof data generation program installed on the PC or the work station. For example, when the user unique identifying information is sealed in an IC card, the user loads the IC card into the PC or the work station. The access ticket may be placed on the PC or the work station, or it may be put into the IC card.
The proof data generation device 200, which is composed of the program installed on the PC or the work station and the IC card, makes calculation on the basis of the user unique identifying information, the access ticket and the control information for the generation of proof data, and then communicates with the proof data verification device 100 on the basis of the calculation. In the course of this calculation there is used the user identifying information. Leakage of the user identifying information to the outside would give rise to a problem, so it is necessary that at least a part of the program be protected by a protective part such as an IC card.
The case where the authentication by the proof data verification device 100 becomes successful as a result of the communication is limited to the case where the following four are correctly correlated with one another: user unique identifying information, access ticket, proof data generation control information, and unique security characteristic information verified by the proof data verification device 100. If any one of the user unique identifying information, access ticket and proof data generation control information is omitted, the authentication will not be successful.
Each access ticket is issued for a specific user, taking into account conditions for use of an application program allowed to the user. In generating the access ticket, there are used the unique identifying information of the specific user and the proof data generation control information. If the user unique identifying information used at the time of generating the access ticket and the user unique identifying information used by the proof data generation device 200 are not coincident with each other, or if the utilization of the application program does not meet the conditions for use which are based on the proof data generation control information and which should be satisfied by the user, the authentication will not be successful.
The access ticket is generated on the basis of specific unique security characteristic information, and the proof data verification device 100 is configured so as to authenticate the unique security characteristic information. Therefore, also when the characteristic information used in generating the access ticket and the characteristic information to be authenticated by the proof data verification device 100 embedded in the application program do not correspond to each other, the authentication will not be successful.
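An added illustration, not taken from the patent text: one construction that shows the failure conditions described above, assuming the access ticket is the private exponent x offset by a hash of the user unique identifying information and the control information. The group (integers modulo the prime 2^127 - 1), the `expires=` control format and all function names are assumptions chosen for the example.

```python
import hashlib
import secrets
from datetime import date

# Toy parameters (assumption): far too small for real use, illustration only.
P = 2**127 - 1   # Mersenne prime; exponents are reduced modulo P - 1
G = 3            # base element of the multiplicative group modulo P


def bind(user_secret: bytes, control: bytes) -> int:
    """Hash the user unique identifying information together with the control information."""
    data = len(user_secret).to_bytes(4, "big") + user_secret + control
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)


def issue_ticket(x: int, user_secret: bytes, control: bytes) -> int:
    """Issuer: the ticket equals x minus a value only this user and these conditions reproduce."""
    return (x - bind(user_secret, control)) % (P - 1)


def make_challenge(y: int):
    """Verifier: returns (authentication data u = G^k, expected proof data y^k)."""
    k = secrets.randbelow(P - 3) + 2
    return pow(G, k, P), pow(y, k, P)


def prove(u: int, ticket: int, user_secret: bytes, control: bytes, today: date):
    """Prover: enforce the conditions for use, then compute u^x without ever holding x."""
    expires = date.fromisoformat(control.decode().split("=", 1)[1])
    if today > expires:
        return None  # conditions not met: no proof data is generated
    # u^ticket * u^bind = u^(x mod (P-1)) = u^x, but only for the original inputs.
    return pow(u, ticket, P) * pow(u, bind(user_secret, control), P) % P


if __name__ == "__main__":
    x = secrets.randbelow(P - 3) + 2           # authentication characteristic information
    y = pow(G, x, P)                           # public value known to the verifier
    secret, control = b"constructed-user-secret", b"expires=2030-12-31"
    ticket = issue_ticket(x, secret, control)
    u, expected = make_challenge(y)
    print("valid ticket:", prove(u, ticket, secret, control, date(2025, 1, 1)) == expected)
    forged = b"expires=2099-12-31"             # altered control information
    print("altered terms:", prove(u, ticket, secret, forged, date(2040, 1, 1)) == expected)
```

Because the ticket alone reveals neither x nor the user secret, it can travel over an untrusted channel; altering the control information or presenting another user's secret changes the hash and the response no longer matches.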
There may be adopted a configuration wherein the application program is executed on another computer coupled to the user's computer through a network and the results of the execution are transmitted to the user's computer through the network. This configuration is based on what is called a server-client model. In the foregoing execution control for the application program executed on the user's PC or the work station, the communication between the proof data generation device 200 and the proof data verification device 100 is carried out as so-called interprocess communication while, when the server-client model is followed, the communication between the proof data generation device 200 and the proof data verification device 100 is carried out as communication which follows a network protocol such as TCP/IP (Transmission Control Protocol/Internet Protocol).
The present invention is applicable also to the case where an application program is formed on a dedicated device. For example, it is assumed that the whole of the proof data generation device 200 is mounted within an IC card and that the acquired access ticket and proof data generation control information are also registered in the IC card. The dedicated device, on which the proof data verification device 100 is mounted, is provided with a slot for insertion therein of an IC card. The user inserts his or her IC card into the slot to effect authentication.
Such a configuration using the dedicated device is applicable, for example, to an ATM (automatic teller machine) in a bank or a game machine in a game center.
As methods for the user to acquire the access ticket and the proof data generation control information, there are a method wherein a common center, which issues those information pieces, generates and distributes them in compliance with the user's request for issuance and a method wherein the person who has prepared the application program individually generates the information pieces in question with the aid of an access ticket issuing program and the access ticket generation device 300, as well as a proof data generation control information issuing program and the proof data generation control information generating device 400.
In the above methods, the generation devices are managed by the ticket issuer and the access ticket, etc. are generated and distributed independently of the user environment by a legitimate right holder thereof.
The generated access ticket and proof data generation control information may be distributed to the user through a portable storage medium such as a floppy disk. Since the access ticket is sufficiently safe, there may be adopted a configuration using an electronic mail or the like for distribution through a network.
The safety of the access ticket involves the following two properties.
1) The access ticket is a subscribing type ticket. That is, only the user to whom the access ticket has been issued (to be exact, the person who holds the user unique identifying information used in the generation of the access ticket) can operate the proof data generation device 200 correctly with use of the access ticket. Therefore, even if a malicious third party has acquired the access ticket of another user in an illegitimate manner, it is impossible for the third party to utilize the access ticket unless the third party acquires the unique identifying information of the regular user to whom the access ticket has been issued.
2) The access ticket possesses stricter safety. Even if a malicious third party collects any number of access tickets and conducts an analysis, it is impossible for the third party to forge another access ticket on the basis of the information obtained, nor is it possible for the third party to configure a device which attains authentication in imitation of the operation of the proof data generation device 200.